PoetRAT
Techniques Used
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | PoetRAT has used HTTP and HTTPS for C2 communications.(Citation: Talos PoetRAT October 2020)
Enterprise | T1071.002 | Application Layer Protocol: File Transfer Protocols | PoetRAT has used FTP for C2 communications.(Citation: Talos PoetRAT October 2020)
Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | PoetRAT has the ability to compress files with zip.(Citation: Talos PoetRAT April 2020)
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | PoetRAT has added a registry key in the
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | PoetRAT has called cmd through a Word document macro.(Citation: Talos PoetRAT October 2020)
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | PoetRAT has used Word documents with VBScripts to execute malicious activities.(Citation: Talos PoetRAT April 2020)(Citation: Talos PoetRAT October 2020)
Enterprise | T1059.006 | Command and Scripting Interpreter: Python | PoetRAT was executed with a Python script and worked in conjunction with additional Python-based post-exploitation tools.(Citation: Talos PoetRAT April 2020)
Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | PoetRAT has used a Python tool named Browdec.exe to steal browser credentials.(Citation: Talos PoetRAT April 2020)
Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | PoetRAT used TLS to encrypt command and control (C2) communications.(Citation: Talos PoetRAT April 2020)
Enterprise | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | PoetRAT has used FTP for exfiltration.(Citation: Talos PoetRAT April 2020)
Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | PoetRAT has the ability to hide and unhide files.(Citation: Talos PoetRAT April 2020)
Enterprise | T1070.004 | Indicator Removal: File Deletion | PoetRAT has the ability to overwrite its scripts and delete itself if a sandbox environment is detected.(Citation: Talos PoetRAT April 2020)
Enterprise | T1056.001 | Input Capture: Keylogging | PoetRAT has used a Python tool named klog.exe for keylogging.(Citation: Talos PoetRAT April 2020)
Enterprise | T1559.002 | Inter-Process Communication: Dynamic Data Exchange | PoetRAT was delivered with documents that used DDE to execute malicious code.(Citation: Talos PoetRAT April 2020)
Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | PoetRAT used voStro.exe, a compiled build of pypykatz (a Python implementation of Mimikatz), to steal credentials.(Citation: Talos PoetRAT April 2020)
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | PoetRAT was distributed via malicious Word documents.(Citation: Talos PoetRAT April 2020)
Enterprise | T1204.002 | User Execution: Malicious File | PoetRAT has relied on victims opening spearphishing attachments to execute.(Citation: Talos PoetRAT April 2020)
Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | PoetRAT checked the size of the hard drive to determine whether it was running in a sandbox environment. On detecting a sandbox, it would delete itself by overwriting the malware scripts with the contents of "License.txt" and exiting.(Citation: Talos PoetRAT April 2020)
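The execution chain in the table above (a Word document macro or DDE field calling cmd, which in turn launches the Python-based payload) is a parent-child process relationship that process-creation telemetry exposes directly. The following Python is an added example, not PoetRAT's code and not a Talos or ATT&CK detection: it runs a small detection rule over constructed process-creation records modelled loosely on Sysmon Event ID 1 fields. The field names, the sample paths and command lines, and the set of Office applications and interpreters are assumptions chosen for illustration; the rule flags any interpreter whose parent, or a near ancestor, is an Office application, so it also catches the staged case where cmd.exe is the intermediate step.

```python
"""Detect scripting interpreters launched from an Office document process.

Added example for the PoetRAT technique table (T1566.001 -> T1204.002 ->
T1059.003/.005/.006). Event records are constructed inline and the field
names are assumptions modelled on Sysmon Event ID 1; nothing here is the
malware's own code or a vendor detection.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Parent processes that should not normally launch a scripting interpreter.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Interpreters named on this page (cmd, VBScript hosts, Python) plus PowerShell.
INTERPRETERS = {"cmd.exe", "wscript.exe", "cscript.exe", "python.exe",
                "pythonw.exe", "powershell.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (assumed field layout)."""
    pid: int
    parent_pid: int
    image: str          # full path of the created process
    parent_image: str   # full path of the creating process
    command_line: str


def base_name(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def office_ancestor(ev: ProcessEvent, by_pid: Dict[int, ProcessEvent],
                    max_depth: int = 4) -> Optional[str]:
    """Walk parent links upward and return the first Office image found.

    PID reuse is ignored for simplicity; a production rule would key on a
    process GUID rather than a bare PID.
    """
    parent_image, parent_pid = ev.parent_image, ev.parent_pid
    for _ in range(max_depth):
        if base_name(parent_image) in OFFICE_APPS:
            return base_name(parent_image)
        parent = by_pid.get(parent_pid)
        if parent is None:
            return None
        parent_image, parent_pid = parent.parent_image, parent.parent_pid
    return None


def detect(events: List[ProcessEvent]) -> List[Tuple[int, str]]:
    """Return (pid, reason) for every interpreter that descends from Office."""
    by_pid = {ev.pid: ev for ev in events}
    findings: List[Tuple[int, str]] = []
    for ev in events:
        child = base_name(ev.image)
        if child not in INTERPRETERS:
            continue
        ancestor = office_ancestor(ev, by_pid)
        if ancestor is None:
            continue
        parent = base_name(ev.parent_image)
        if parent == ancestor:
            reason = f"{ancestor} spawned {child} directly (macro/DDE execution)"
        else:
            reason = f"{child} descends from {ancestor} via {parent} (staged payload)"
        findings.append((ev.pid, reason))
    return findings


# Constructed sample telemetry: one benign Word launch, a macro-driven
# cmd.exe, a Python payload started by that cmd.exe, an interactive cmd.exe
# from Explorer, and a legitimate Word print-spooler helper.
SAMPLE_EVENTS = [
    ProcessEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\explorer.exe", r'"WINWORD.EXE" /n "C:\Users\user\Downloads\lure.docx"'),
    ProcessEvent(300, 200, r"C:\Windows\System32\cmd.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r'cmd.exe /c "C:\ProgramData\launch.bat"'),
    ProcessEvent(400, 300, r"C:\ProgramData\python\python.exe",
                 r"C:\Windows\System32\cmd.exe", r"python.exe C:\ProgramData\run.py"),
    ProcessEvent(500, 100, r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\explorer.exe", "cmd.exe"),
    ProcessEvent(600, 200, r"C:\Windows\splwow64.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "splwow64.exe 12288"),
]


if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

On the constructed sample this flags pid 300 (cmd.exe launched directly by WINWORD.EXE) and pid 400 (python.exe reached through that cmd.exe), and leaves the Explorer-launched cmd.exe and the splwow64.exe helper alone. Tuning in practice means adding the organisation's known-good Office child processes to an allow-list rather than widening `OFFICE_APPS`.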
References
- Dragos. (n.d.). ICS Cybersecurity Year in Review 2020. Retrieved February 25, 2021.
- Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
- Mercer, W., Rascagneres, P., Ventura, V. (2020, October 6). PoetRAT: Malware targeting public and private sector in Azerbaijan evolves. Retrieved April 9, 2021.